September 23, 2013
Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.
By now, the news is out —TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch.
The fact that fingerprints can be lifted is not really up for debate— CSI technicians have been doing it for decades. The big question with TouchID was whether or not Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried but failed to implement a completely secure solution. Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial. Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician. First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself. Hold an iPhone in your hand and try the various positions that you would use the phone in. You will notice that the thumb doesn’t often come into full contact with the phone and when it does it's usually in motion. This means they tend to be smudged. So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.
Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original. So now what? If you got this far, the chances are you have a slightly smudged print stuck to a white card. Can you use this to unlock the phone? This used to work on some of the older readers, but not for many years now, and certainly not with this device. To crack this control you will need to create an actual fake fingerprint.
Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer. First of all, you have to photograph the print, remembering to preserve scale, maintain adequate resolution and ensure you don’t skew or distort the print. Next, you have to edit the print and clean up as much of the smudging as possible. Once complete, you have two options:
- The CCC method. Invert the print in software, and print it out onto transparency film using a laser printer set to maximum toner density. Then smear glue and glycerol on the ink side of the print and leave it to cure. Once dried you have a thin layer of rubbery dried glue that serves as your fake print.
- I used a technique demonstrated by Tsutomu Matsumoto in his 2002 paper “The Impact of Artificial “Gummy” Fingers on Fingerprint Systems”. In this technique, you take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called “etching” which washes away all of the exposed copper leaving behind a fingerprint mold. Smear glue over this and when it dries, you have a fake fingerprint.
Using fake fingerprints is a little tricky; I got the best results by sticking it to a slightly damp finger. My supposition is that this tactic improves contact by evening out any difference in electrical conductivity between this and the original finger.
So what do we learn from all this? Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it. However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.
TouchID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.
Today, we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card because you can perform many of the same financial transactions with it. Fingerprint security will help protect you against the three biggest threats facing smartphone users today:
- Fingerprint security will protect your data from a street thief that grabs your phone.
- Fingerprint security will protect you in the event you drop/forget/misplace your phone.
- Fingerprint security could protect you against phishing attacks (if Apple allows it)
Fingerprint security has a darker side though: we need to carefully evaluate how its data is going to be managed and the impact it will have on personal privacy. First and foremost is the question of how fingerprint data will be managed. As Senator Al Franken pointed out to Apple in his letter dated September 19, we only have ten fingerprints and a stolen or public fingerprint could lead to lifelong challenges. Just imagine your fingerprints turning up at every crime scene in the country!
The big questions here are:
- What data does Apple capture from a finger as it is enrolled?
- How is this data stored and how is it accessed?
- Can this data be used to recreate a user's fingerprint mathematically or through visual reconstruction?
In a similar fashion, fingerprints are viewed quite differently to passwords and PINs in the eyes of the law. For example, the police or other law enforcement officials can compel you to surrender your fingerprints, something they currently can’t do quite as easily with passwords or PINs despite some recent judicial challenges to that position.
As a technology, fingerprint biometrics has a flaw that’s likely to be repeatedly exposed and fixed in future products. We shouldn’t let this distract us or make us think that fingerprint biometrics should be abandoned, instead we should ensure that future products and services are designed with this in consideration. If we play to its strengths and anticipate its weaknesses, fingerprint biometrics can add great value to both security and user experience.
What I, and many of my colleagues are waiting for (with bated breath), is TouchID enabled two-factor authentication. By combining two low to medium security tokens, such as a fingerprint and a 4 digit pin, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.
Imagine a banking application where on startup you use a fingerprint for convenience - it’s nice and quick and only needs to ensure the right person has started it. However as soon as you want to do something sensitive like check a balance or transfer some funds we kick it up a notch by asking for a two factor authentication - the fingerprint and a 4 digit pin. This combination is strong enough to protect the user against most scenarios from physical theft through to phishing attacks.
If implemented correctly, TouchID enabled two-factor authentication in enterprise applications could be a good defense against phishing attacks by attackers like the Syrian Electronic Army. You can trick a user into giving up any kind of passcode but, it is much harder to trick a user into giving up his or her fingerprints from the other side of the world.
Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.
For starters, Apple —can we have two-factor authentication please?